Chapter 10. DNS Diagnostics and Tools

This chapter defines tools that may be provided with BIND releases, are generally available or just jolly useful! The tools described either provide specific services or may help in diagnosing problems.

10.1 Overview and Introduction

BIND provides a number of tools that are invaluable when testing or diagnosing problems. Of these, named-checkzone (validates zone files for correctness) and named-checkconf (checks the named.conf file) are invaluable for finding those stupid problems that we can all introduce when editing files. They have the additional property that they may prolong life by removing the blind panic that ensues after making a trivial edit and reloading BIND, only to find that the live system is no longer functional due to a parameter error, which always seems to take longer to find when we know that hundreds of queries are being rejected because the name server is off-the-air.

rndc is the remote access tool that allows selective reload of zones and to which many DNS administrators are addicted. It has serious security implications if not properly installed and configured.

nsupdate is a tool that allows dynamic updating (DDNS) of zone files. Extreme care must be taken when configuring BIND to enable DDNS since you may inadvertently open up your DNS zone files to the world - while this is an extremely friendly, neighborly thing to do, it may not always be wise.

Finally, the Really Big Issue™ is whether to use nslookup or dig, with the macho guys generally regarding nslookup users as wimps. There is no doubt that dig provides more useful information than nslookup for those who understand the detailed information that is displayed; however, if you work with multiple platforms, especially Windows, you have no choice but to be familiar with nslookup since this is the only tool provided with the standard release. One of the happy side-effects of installing BIND on Windows is that you get all its diagnostic tools, including dig.

10.2 NSLOOKUP

nslookup is officially deprecated in favour of dig (though we note that current versions no longer output that deprecation warning message, which may indicate a change of heart). nslookup is however almost universally available - even when dig is not - and this is especially true on Windows systems, where dig is still pretty exotic. Old utilities do not die, they just slowly fade away!

Command Format

nslookup in general returns A or PTR records but specific options can be used to override the default. There are both command line and interactive formats available.

nslookup maintains a set of configuration parameters (that may be modified) to add power to the command line. These parameters can be displayed using the -all (or set all in interactive mode) argument.

Quick Usage examples

The following are quick examples of common usage - all the options are explained below in mind-numbing detail:

Format 2 - Host lookup

nslookup www.example.com 192.168.255.53

Returns the A record for www.example.com using the DNS server at 192.168.255.53. The command format allows either an IP address or a name for the server, so the above command could have been written as:

nslookup www.example.com another.domain.com

Interactive Format

Interactive format (formats 3 and 4 above) is entered by running nslookup without a target name; it provides a single prompt (>) and allows any command line option to be entered. To terminate interactive mode you can use CTRL-C (Windows and *nix), CTRL-D (*nix only) or exit (Windows and *nix).

Options

nslookup provides a dizzying number of options that vary its processing. Some of these options are only available in interactive mode. The Windows version adds a couple of commands. In each case Mode defines B = Interactive and command line format, I = Interactive only, C = command line only, W = Windows only. Multiple options can be specified with a single command.

option: d        params: -              mode: C
    Lists information for the domain. Gives SOA record and NS record details.

option: ls       params: [opt] domain   mode: I
    Lists all the information for the target domain. Takes the optional extensions > or >> filename to output to a file for subsequent processing. The options supported are:
        -a  lists aliases (CNAME) in the domain (synonym for -t CNAME)
        -d  the default behaviour; lists all records in the domain (synonym for -t ANY)
        -h  lists all host information records in the domain (synonym for -t HINFO)
        -s  lists all well known service records in the domain (synonym for -t WKS)
        -t  lists the specific record type in the domain, e.g. -t A

option: lserver  params: dns            mode: I
    Sets the DNS server used for subsequent commands. May be either a name or an IP address. The name or IP is looked up using the original default DNS server (before any server or lserver commands were issued).

option: root     params: root-dns       mode: B
    Changes the root server used in various commands.

option: server   params: dns            mode: I
    Sets the DNS server used for subsequent commands. May be either a name or an IP address. The name or IP is looked up using the current default DNS server. The default server is defined in /etc/resolv.conf for *nix systems and in network properties for Windows systems.

Options which work with 'set' in interactive mode

In interactive mode these options are preceded with set and operate until changed with another set directive. In command line mode they are preceded with - and operate on a single command. In a number of cases a short form is also provided.

option: all      params: -              mode: B
    Displays a list of the default values used by nslookup, including the DNS server. Typical output:

option: [no]search / [no]defname        mode: B
    This parameter controls how the srchlist= value is used. search and defname are interrelated based on the following matrix for targets which are not FQDNs:

        search    defname     append the domain names from srchlist in turn until an answer is found
        nosearch  defname     append the domain name from domain
        nosearch  nodefname   the target must be an FQDN
        search    nodefname   the target must be an FQDN

    In all cases the first result terminates the command - you cannot use the srchlist to look up multiple targets. In general the srchlist is most useful with subdomains but can be used with different domains.

option: port=    params: port no.       mode: B
    Changes the default port from the normal (53) to that specified by port no.

option: type= or querytype=   params: ANY, A, CNAME, HINFO, MINFO, MX, NS, PTR, SOA, TXT, UINFO, WKS   mode: B
    When using type= with anything except A, the following commands will only work on the domain root, e.g.:

    ANY with a domain root name returns every DNS RR with a blank name (label) entry - these include the NS and MX records - and thus provides a quick way to get useful domain information.

option: retry=   params: number         mode: B
    Controls the number of retries that will be attempted. Default is 4.

option: root=    params: dns            mode: B
    Controls the DNS server used by the root command. Default is typically f.root-servers.net. (on *nix) and a.root-servers.net. (on Windows).

option: srchlist=  params: dom1/dom2    mode: I
    Allows setting of a search list (up to six names are allowed, separated by forward slashes).
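As an added example, not taken from the original page: a small POSIX shell function that works through the search/defname matrix above and prints the query names nslookup would try for a given target, so you can see exactly which domains a short name gets expanded into. It assumes that a trailing dot marks an absolute name and that srchlist entries are separated by '/' as srchlist= expects; the real tool applies further rules (for instance to names that already contain a dot) which are not modelled here. The practical reason to check this: with search and a srchlist spanning several domains, a name that does not exist in the first domain is silently retried in the next one, so an answer can come from a domain you did not intend to query.

```shell
#!/bin/sh
# Added example (not from the original page): which query names nslookup will
# try for a target under each search/defname row of the matrix above.
# Assumptions: a target ending in a dot is absolute and is queried unchanged;
# srchlist entries are separated by '/' as srchlist= expects; further rules of
# the real tool (e.g. how names that already contain a dot are treated) are
# not modelled.

# candidates <target> <search|nosearch> <defname|nodefname> <srchlist> <domain>
# Prints one candidate query name per line, in the order nslookup would try them.
candidates() {
    target=$1 search=$2 defname=$3 srchlist=$4 domain=$5
    case $target in
        *.) printf '%s\n' "${target%.}"; return 0 ;;   # absolute name: no expansion
    esac
    if [ "$defname" = nodefname ]; then
        printf '%s\n' "$target"         # "must be FQDN": sent exactly as typed
        return 0
    fi
    if [ "$search" = search ]; then
        # search + defname: try each srchlist entry in turn until one answers
        printf '%s\n' "$srchlist" | tr '/' '\n' | while read -r d; do
            printf '%s.%s\n' "$target" "$d"
        done
    else
        # nosearch + defname: append only the default domain
        printf '%s.%s\n' "$target" "$domain"
    fi
}

# Demonstration over the four rows of the matrix for the short name "www",
# with a constructed srchlist spanning two domains (example.com/example.net).
for row in "search defname" "nosearch defname" "nosearch nodefname" "search nodefname"; do
    set -- $row
    names=$(candidates www "$1" "$2" example.com/example.net example.com | tr '\n' ' ')
    printf '%-8s %-10s tries: %s\n' "$1" "$2" "$names"
done
```

Run it as-is to see the four rows side by side; the "search defname" row is the one where a short name can wander into the second domain of the list.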

Examples - command line

# get mail records for a domain
nslookup -type=MX example.com
# list all the options being used and get host address
nslookup -all mail.example.com
# get SOA record using a specific DNS
nslookup -type=SOA example.com 192.168.23.53
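The commands above print their results for a human to read. As an added example that is not part of the original page, the POSIX shell script below parses the MX lines from nslookup -type=MX output, in both the BIND (*nix) format and the Windows format, into "preference host" lines ordered by preference, and reports whether nslookup marked the answer as non-authoritative (i.e. served from the resolver's cache rather than by the zone's own servers). The two sample outputs are constructed for the example, not captured from a live query.

```shell
#!/bin/sh
# Added example (not from the original page): parse the MX records that
# "nslookup -type=MX <domain>" prints, in both the BIND (*nix) and the Windows
# output formats, into "preference host" lines sorted by preference. The two
# sample outputs below are constructed for this example, not captured.

# Constructed sample of BIND nslookup output (tab-separated, as nslookup prints it).
sample_unix() {
    printf 'Server:\t\t192.168.23.53\n'
    printf 'Address:\t192.168.23.53#53\n\n'
    printf 'Non-authoritative answer:\n'
    printf 'example.com\tmail exchanger = 20 backup.example.com.\n'
    printf 'example.com\tmail exchanger = 10 mail.example.com.\n\n'
    printf 'Authoritative answers can be found from:\n'
}

# Constructed sample of Windows nslookup output for the same query.
sample_windows() {
    printf 'Server:  dns.example.com\n'
    printf 'Address:  192.168.23.53\n\n'
    printf 'Non-authoritative answer:\n'
    printf 'example.com     MX preference = 20, mail exchanger = backup.example.com\n'
    printf 'example.com     MX preference = 10, mail exchanger = mail.example.com\n'
}

# Reads nslookup output on stdin and prints "<preference> <host>" per MX record,
# lowest preference (the most preferred exchanger) first.
parse_mx() {
    awk '
    /mail exchanger = / {
        split($0, f, "mail exchanger = ")
        rhs = f[2]
        if (rhs ~ /^[0-9]+ /) {
            # BIND form: "<name><TAB>mail exchanger = <pref> <host>."
            split(rhs, p, " ")
            pref = p[1]; host = p[2]
        } else {
            # Windows form: "<name>  MX preference = <pref>, mail exchanger = <host>"
            host = rhs
            match($0, /MX preference = [0-9]+/)
            pref = substr($0, RSTART + 16, RLENGTH - 16)
        }
        sub(/\.$/, "", host)      # drop the trailing dot BIND prints on FQDNs
        print pref, host
    }' | sort -n
}

# Returns 0 when the answer was not flagged as cached, 1 when nslookup printed
# the "Non-authoritative answer:" marker (data came from the resolver cache).
answer_is_authoritative() {
    ! grep -q '^Non-authoritative answer:'
}

# Stand-alone run over the constructed samples.
echo "BIND format:";    sample_unix | parse_mx
echo "Windows format:"; sample_windows | parse_mx
if sample_unix | answer_is_authoritative; then
    echo "answer is authoritative"
else
    echo "answer is non-authoritative (cached)"
fi
```

To use it against a live server, replace the sample functions with the real command, e.g. nslookup -type=MX example.com 192.168.23.53 | parse_mx. When the output is flagged non-authoritative and you are diagnosing a mail-routing problem, repeat the query directly against one of the domain's NS servers so that cached data cannot mislead you.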
